* [driver-core:debugfs_cleanup 4/5] fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
@ 2021-12-31 17:08 ` kernel test robot
0 siblings, 0 replies; 8+ messages in thread
From: kernel test robot @ 2021-12-31 17:08 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: kbuild-all, devel, linux-kernel
tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git debugfs_cleanup
head: a04bbe0a2c7e98669e11a47f94e53dd8228bbeba
commit: e95d5bed5d58c2f5352969369827e7135fa2261e [4/5] fs: make d_path-like functions all have unsigned size
config: i386-randconfig-m031-20211228 (https://download.01.org/0day-ci/archive/20220101/202201010156.bJvO7Gaw-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
smatch warnings:
fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
vim +59 fs/d_path.c
b0cfcdd9b9672e Linus Torvalds 2021-07-16 55
b0cfcdd9b9672e Linus Torvalds 2021-07-16 56 static bool prepend(struct prepend_buffer *p, const char *str, int namelen)
b0cfcdd9b9672e Linus Torvalds 2021-07-16 57 {
b0cfcdd9b9672e Linus Torvalds 2021-07-16 58 // Already overflowed?
b0cfcdd9b9672e Linus Torvalds 2021-07-16 @59 if (p->len < 0)
b0cfcdd9b9672e Linus Torvalds 2021-07-16 60 return false;
b0cfcdd9b9672e Linus Torvalds 2021-07-16 61
b0cfcdd9b9672e Linus Torvalds 2021-07-16 62 // Will overflow?
b0cfcdd9b9672e Linus Torvalds 2021-07-16 63 if (p->len < namelen) {
b0cfcdd9b9672e Linus Torvalds 2021-07-16 64 // Fill as much as possible from the end of the name
b0cfcdd9b9672e Linus Torvalds 2021-07-16 65 str += namelen - p->len;
b0cfcdd9b9672e Linus Torvalds 2021-07-16 66 p->buf -= p->len;
b0cfcdd9b9672e Linus Torvalds 2021-07-16 67 prepend_copy(p->buf, str, p->len);
b0cfcdd9b9672e Linus Torvalds 2021-07-16 68 p->len = -1;
b0cfcdd9b9672e Linus Torvalds 2021-07-16 69 return false;
b0cfcdd9b9672e Linus Torvalds 2021-07-16 70 }
b0cfcdd9b9672e Linus Torvalds 2021-07-16 71
b0cfcdd9b9672e Linus Torvalds 2021-07-16 72 // Fits fully
ad08ae586586ea Al Viro 2021-05-12 73 p->len -= namelen;
ad08ae586586ea Al Viro 2021-05-12 74 p->buf -= namelen;
b0cfcdd9b9672e Linus Torvalds 2021-07-16 75 return prepend_copy(p->buf, str, namelen);
7a5cf791a74764 Al Viro 2018-03-05 76 }
7a5cf791a74764 Al Viro 2018-03-05 77
:::::: The code at line 59 was first introduced by commit
:::::: b0cfcdd9b9672ea90642f33d6c0dd8516553adf2 d_path: make 'prepend()' fill up the buffer exactly on overflow
:::::: TO: Linus Torvalds <torvalds@linux-foundation.org>
:::::: CC: Linus Torvalds <torvalds@linux-foundation.org>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
^ permalink raw reply [flat|nested] 8+ messages in thread
* [driver-core:debugfs_cleanup 4/5] fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
@ 2021-12-31 17:08 ` kernel test robot
0 siblings, 0 replies; 8+ messages in thread
From: kernel test robot @ 2021-12-31 17:08 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 2615 bytes --]
tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git debugfs_cleanup
head: a04bbe0a2c7e98669e11a47f94e53dd8228bbeba
commit: e95d5bed5d58c2f5352969369827e7135fa2261e [4/5] fs: make d_path-like functions all have unsigned size
config: i386-randconfig-m031-20211228 (https://download.01.org/0day-ci/archive/20220101/202201010156.bJvO7Gaw-lkp(a)intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
smatch warnings:
fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
vim +59 fs/d_path.c
b0cfcdd9b9672e Linus Torvalds 2021-07-16 55
b0cfcdd9b9672e Linus Torvalds 2021-07-16 56 static bool prepend(struct prepend_buffer *p, const char *str, int namelen)
b0cfcdd9b9672e Linus Torvalds 2021-07-16 57 {
b0cfcdd9b9672e Linus Torvalds 2021-07-16 58 // Already overflowed?
b0cfcdd9b9672e Linus Torvalds 2021-07-16 @59 if (p->len < 0)
b0cfcdd9b9672e Linus Torvalds 2021-07-16 60 return false;
b0cfcdd9b9672e Linus Torvalds 2021-07-16 61
b0cfcdd9b9672e Linus Torvalds 2021-07-16 62 // Will overflow?
b0cfcdd9b9672e Linus Torvalds 2021-07-16 63 if (p->len < namelen) {
b0cfcdd9b9672e Linus Torvalds 2021-07-16 64 // Fill as much as possible from the end of the name
b0cfcdd9b9672e Linus Torvalds 2021-07-16 65 str += namelen - p->len;
b0cfcdd9b9672e Linus Torvalds 2021-07-16 66 p->buf -= p->len;
b0cfcdd9b9672e Linus Torvalds 2021-07-16 67 prepend_copy(p->buf, str, p->len);
b0cfcdd9b9672e Linus Torvalds 2021-07-16 68 p->len = -1;
b0cfcdd9b9672e Linus Torvalds 2021-07-16 69 return false;
b0cfcdd9b9672e Linus Torvalds 2021-07-16 70 }
b0cfcdd9b9672e Linus Torvalds 2021-07-16 71
b0cfcdd9b9672e Linus Torvalds 2021-07-16 72 // Fits fully
ad08ae586586ea Al Viro 2021-05-12 73 p->len -= namelen;
ad08ae586586ea Al Viro 2021-05-12 74 p->buf -= namelen;
b0cfcdd9b9672e Linus Torvalds 2021-07-16 75 return prepend_copy(p->buf, str, namelen);
7a5cf791a74764 Al Viro 2018-03-05 76 }
7a5cf791a74764 Al Viro 2018-03-05 77
:::::: The code at line 59 was first introduced by commit
:::::: b0cfcdd9b9672ea90642f33d6c0dd8516553adf2 d_path: make 'prepend()' fill up the buffer exactly on overflow
:::::: TO: Linus Torvalds <torvalds@linux-foundation.org>
:::::: CC: Linus Torvalds <torvalds@linux-foundation.org>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [driver-core:debugfs_cleanup 4/5] fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
2021-12-31 17:08 ` kernel test robot
@ 2021-12-31 19:35 ` Al Viro
-1 siblings, 0 replies; 8+ messages in thread
From: Al Viro @ 2021-12-31 19:35 UTC (permalink / raw)
To: kernel test robot; +Cc: Greg Kroah-Hartman, kbuild-all, devel, linux-kernel
On Sat, Jan 01, 2022 at 01:08:41AM +0800, kernel test robot wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git debugfs_cleanup
> head: a04bbe0a2c7e98669e11a47f94e53dd8228bbeba
> commit: e95d5bed5d58c2f5352969369827e7135fa2261e [4/5] fs: make d_path-like functions all have unsigned size
> config: i386-randconfig-m031-20211228 (https://download.01.org/0day-ci/archive/20220101/202201010156.bJvO7Gaw-lkp@intel.com/config)
> compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
>
> smatch warnings:
> fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
What do you mean, "unsigned p->len"?
->len really *can* be negative - that's how running out of buffer is indicated.
Greg, I stand by the comment I made back in July - this kind of "hardening" is
useless; there's no legitimate reason to pass a huge buffer length, especially
since there's a limit on the length of pathname any syscall would accept.
See https://www.spinics.net/lists/linux-fsdevel/msg200370.html for the
variant I would prefer.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [driver-core:debugfs_cleanup 4/5] fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
@ 2021-12-31 19:35 ` Al Viro
0 siblings, 0 replies; 8+ messages in thread
From: Al Viro @ 2021-12-31 19:35 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 1185 bytes --]
On Sat, Jan 01, 2022 at 01:08:41AM +0800, kernel test robot wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git debugfs_cleanup
> head: a04bbe0a2c7e98669e11a47f94e53dd8228bbeba
> commit: e95d5bed5d58c2f5352969369827e7135fa2261e [4/5] fs: make d_path-like functions all have unsigned size
> config: i386-randconfig-m031-20211228 (https://download.01.org/0day-ci/archive/20220101/202201010156.bJvO7Gaw-lkp(a)intel.com/config)
> compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
>
> smatch warnings:
> fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
What do you mean, "unsigned p->len"?
->len really *can* be negative - that's how running out of buffer is indicated.
Greg, I stand by the comment I made back in July - this kind of "hardening" is
useless; there's no legitimate reason to pass a huge buffer length, especially
since there's a limit on the length of pathname any syscall would accept.
See https://www.spinics.net/lists/linux-fsdevel/msg200370.html for the
variant I would prefer.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [driver-core:debugfs_cleanup 4/5] fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
2021-12-31 19:35 ` Al Viro
@ 2022-01-01 13:08 ` Greg Kroah-Hartman
-1 siblings, 0 replies; 8+ messages in thread
From: Greg Kroah-Hartman @ 2022-01-01 13:08 UTC (permalink / raw)
To: Al Viro; +Cc: kernel test robot, devel, kbuild-all, linux-kernel
On Fri, Dec 31, 2021 at 07:35:07PM +0000, Al Viro wrote:
> On Sat, Jan 01, 2022 at 01:08:41AM +0800, kernel test robot wrote:
> > tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git debugfs_cleanup
> > head: a04bbe0a2c7e98669e11a47f94e53dd8228bbeba
> > commit: e95d5bed5d58c2f5352969369827e7135fa2261e [4/5] fs: make d_path-like functions all have unsigned size
> > config: i386-randconfig-m031-20211228 (https://download.01.org/0day-ci/archive/20220101/202201010156.bJvO7Gaw-lkp@intel.com/config)
> > compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
> >
> > If you fix the issue, kindly add following tag as appropriate
> > Reported-by: kernel test robot <lkp@intel.com>
> >
> > smatch warnings:
> > fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
>
> What do you mean, "unsigned p->len"?
>
> ->len really *can* be negative - that's how running out of buffer is indicated.
>
> Greg, I stand by the comment I made back in July - this kind of "hardening" is
> useless; there's no legitimate reason to pass a huge buffer length, especially
> since there's a limit on the length of pathname any syscall would accept.
> See https://www.spinics.net/lists/linux-fsdevel/msg200370.html for the
> variant I would prefer.
Sorry, yes, I agree with you, but never deleted this commit from this
"scratch" branch of mine. I'll go rebase the branch and purge it from
the system so that 0-day doesn't hit it anymore, sorry for the noise.
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [driver-core:debugfs_cleanup 4/5] fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
@ 2022-01-01 13:08 ` Greg Kroah-Hartman
0 siblings, 0 replies; 8+ messages in thread
From: Greg Kroah-Hartman @ 2022-01-01 13:08 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 1515 bytes --]
On Fri, Dec 31, 2021 at 07:35:07PM +0000, Al Viro wrote:
> On Sat, Jan 01, 2022 at 01:08:41AM +0800, kernel test robot wrote:
> > tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git debugfs_cleanup
> > head: a04bbe0a2c7e98669e11a47f94e53dd8228bbeba
> > commit: e95d5bed5d58c2f5352969369827e7135fa2261e [4/5] fs: make d_path-like functions all have unsigned size
> > config: i386-randconfig-m031-20211228 (https://download.01.org/0day-ci/archive/20220101/202201010156.bJvO7Gaw-lkp(a)intel.com/config)
> > compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
> >
> > If you fix the issue, kindly add following tag as appropriate
> > Reported-by: kernel test robot <lkp@intel.com>
> >
> > smatch warnings:
> > fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
>
> What do you mean, "unsigned p->len"?
>
> ->len really *can* be negative - that's how running out of buffer is indicated.
>
> Greg, I stand by the comment I made back in July - this kind of "hardening" is
> useless; there's no legitimate reason to pass a huge buffer length, especially
> since there's a limit on the length of pathname any syscall would accept.
> See https://www.spinics.net/lists/linux-fsdevel/msg200370.html for the
> variant I would prefer.
Sorry, yes, I agree with you, but never deleted this commit from this
"scratch" branch of mine. I'll go rebase the branch and purge it from
the system so that 0-day doesn't hit it anymore, sorry for the noise.
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [driver-core:debugfs_cleanup 4/5] fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
2022-01-01 13:08 ` Greg Kroah-Hartman
@ 2022-01-01 18:40 ` Al Viro
-1 siblings, 0 replies; 8+ messages in thread
From: Al Viro @ 2022-01-01 18:40 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: kernel test robot, devel, kbuild-all, linux-kernel
On Sat, Jan 01, 2022 at 02:08:54PM +0100, Greg Kroah-Hartman wrote:
> On Fri, Dec 31, 2021 at 07:35:07PM +0000, Al Viro wrote:
> > On Sat, Jan 01, 2022 at 01:08:41AM +0800, kernel test robot wrote:
> > > tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git debugfs_cleanup
> > > head: a04bbe0a2c7e98669e11a47f94e53dd8228bbeba
> > > commit: e95d5bed5d58c2f5352969369827e7135fa2261e [4/5] fs: make d_path-like functions all have unsigned size
> > > config: i386-randconfig-m031-20211228 (https://download.01.org/0day-ci/archive/20220101/202201010156.bJvO7Gaw-lkp@intel.com/config)
> > > compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
> > >
> > > If you fix the issue, kindly add following tag as appropriate
> > > Reported-by: kernel test robot <lkp@intel.com>
> > >
> > > smatch warnings:
> > > fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
> >
> > What do you mean, "unsigned p->len"?
> >
> > ->len really *can* be negative - that's how running out of buffer is indicated.
> >
> > Greg, I stand by the comment I made back in July - this kind of "hardening" is
> > useless; there's no legitimate reason to pass a huge buffer length, especially
> > since there's a limit on the length of pathname any syscall would accept.
> > See https://www.spinics.net/lists/linux-fsdevel/msg200370.html for the
> > variant I would prefer.
>
> Sorry, yes, I agree with you, but never deleted this commit from this
> "scratch" branch of mine. I'll go rebase the branch and purge it from
> the system so that 0-day doesn't hit it anymore, sorry for the noise.
OK... I'll probably throw something along the lines of "negative => EINVAL,
positive greater than 32Kb - adjust the buffer and length to the last 32Kb
of what had been passed" into the misc queue.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [driver-core:debugfs_cleanup 4/5] fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
@ 2022-01-01 18:40 ` Al Viro
0 siblings, 0 replies; 8+ messages in thread
From: Al Viro @ 2022-01-01 18:40 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 1829 bytes --]
On Sat, Jan 01, 2022 at 02:08:54PM +0100, Greg Kroah-Hartman wrote:
> On Fri, Dec 31, 2021 at 07:35:07PM +0000, Al Viro wrote:
> > On Sat, Jan 01, 2022 at 01:08:41AM +0800, kernel test robot wrote:
> > > tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git debugfs_cleanup
> > > head: a04bbe0a2c7e98669e11a47f94e53dd8228bbeba
> > > commit: e95d5bed5d58c2f5352969369827e7135fa2261e [4/5] fs: make d_path-like functions all have unsigned size
> > > config: i386-randconfig-m031-20211228 (https://download.01.org/0day-ci/archive/20220101/202201010156.bJvO7Gaw-lkp(a)intel.com/config)
> > > compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
> > >
> > > If you fix the issue, kindly add following tag as appropriate
> > > Reported-by: kernel test robot <lkp@intel.com>
> > >
> > > smatch warnings:
> > > fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero.
> >
> > What do you mean, "unsigned p->len"?
> >
> > ->len really *can* be negative - that's how running out of buffer is indicated.
> >
> > Greg, I stand by the comment I made back in July - this kind of "hardening" is
> > useless; there's no legitimate reason to pass a huge buffer length, especially
> > since there's a limit on the length of pathname any syscall would accept.
> > See https://www.spinics.net/lists/linux-fsdevel/msg200370.html for the
> > variant I would prefer.
>
> Sorry, yes, I agree with you, but never deleted this commit from this
> "scratch" branch of mine. I'll go rebase the branch and purge it from
> the system so that 0-day doesn't hit it anymore, sorry for the noise.
OK... I'll probably throw something along the lines of "negative => EINVAL,
positive greater than 32Kb - adjust the buffer and length to the last 32Kb
of what had been passed" into the misc queue.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2022-01-01 18:41 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-31 17:08 [driver-core:debugfs_cleanup 4/5] fs/d_path.c:59 prepend() warn: unsigned 'p->len' is never less than zero kernel test robot
2021-12-31 17:08 ` kernel test robot
2021-12-31 19:35 ` Al Viro
2021-12-31 19:35 ` Al Viro
2022-01-01 13:08 ` Greg Kroah-Hartman
2022-01-01 13:08 ` Greg Kroah-Hartman
2022-01-01 18:40 ` Al Viro
2022-01-01 18:40 ` Al Viro
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.